Exetools  

#1
03-09-2005, 21:34
zacdac
There is no need to decompile to IL and recompile, nor is there any need to remove the public key. You can just patch the assembly directly.

Use ILdasm to determine the hex sequence that is to be patched and use a hex editor to search for the unique occurrences of those bytes and modify the IL op-codes directly. Use one of the many MSIL op-code references for a listing of them.

If the assembly is strong named, then you will need to patch that as well.
Yes, for a WinForms assembly, patching the size of the strong name field in the COR header will do the trick, but for an ASP.NET assembly you will need to also patch the strong-name attribute, which is stored as metadata before the RSA key.

Also note that if there are other strong name assemblies referenced, they may also be required to be patched because strong named assemblies need to call other strong named assemblies.

Additionally if the assembly does some self checking this may also require patching, however it is very rarely implemented.

ZD
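As an added check from the defender's side (not code from this thread or from any tool it names), the following reads the CLI (COR20) header that the post above refers to and flags an assembly whose strong-name-signed flag and StrongNameSignature directory disagree, which is what a zeroed signature size looks like from the outside. It is a header-consistency check only, not a cryptographic verification (sn -vf does that); the sample image is constructed inline and is not a real assembly.

```python
import struct

STRONGNAMESIGNED = 0x0008  # COMIMAGE_FLAGS_STRONGNAMESIGNED bit in the CLI header Flags field

def rva_to_offset(data, nt_off, rva):
    """Map an RVA to a file offset by walking the PE section table."""
    num_sections = struct.unpack_from("<H", data, nt_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, nt_off + 20)[0]
    sec_off = nt_off + 24 + opt_size
    for i in range(num_sections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, sec_off + i * 40 + 8)
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError("RVA %#x is outside every section" % rva)

def strong_name_state(data):
    """Return (signed_flag, sig_rva, sig_size) from the CLI header, or None if not managed."""
    nt_off = struct.unpack_from("<I", data, 0x3C)[0]
    magic = struct.unpack_from("<H", data, nt_off + 24)[0]
    dirs = nt_off + 24 + (96 if magic == 0x10B else 112)      # data directories: PE32 / PE32+
    clr_rva = struct.unpack_from("<I", data, dirs + 14 * 8)[0]  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if clr_rva == 0:
        return None
    clr = rva_to_offset(data, nt_off, clr_rva)
    flags = struct.unpack_from("<I", data, clr + 16)[0]
    sig_rva, sig_size = struct.unpack_from("<II", data, clr + 32)  # StrongNameSignature directory
    return bool(flags & STRONGNAMESIGNED), sig_rva, sig_size

def looks_stripped(data):
    """True when the signed flag and the signature directory disagree (e.g. size zeroed)."""
    state = strong_name_state(data)
    return state is not None and state[0] != (state[1] != 0 and state[2] != 0)

def build_sample(flags, sig_size):
    """Constructed minimal PE32 image with one section and a CLI header; not a real assembly."""
    img = bytearray(0x600)
    struct.pack_into("<I", img, 0x3C, 0x40)                                  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x2102)  # COFF header
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                                  # PE32 magic
    struct.pack_into("<II", img, opt + 96 + 14 * 8, 0x1000, 72)              # CLR header directory
    sec = opt + 224
    struct.pack_into("<IIII", img, sec + 8, 0x200, 0x1000, 0x200, 0x400)     # vsize, va, rawsize, rawptr
    struct.pack_into("<I", img, 0x400, 72)                                   # CLI header cb
    struct.pack_into("<I", img, 0x400 + 16, flags)
    struct.pack_into("<II", img, 0x400 + 32, 0x1100 if sig_size else 0, sig_size)
    return bytes(img)
```

On a real file, pass `open(path, "rb").read()` to `looks_stripped`; a True result is a reason to run a full signature verification, not proof of tampering on its own.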
#2
03-10-2005, 06:11
Newbie_Cracker
Quote:
Originally Posted by zacdac
For a WinForms assembly, patching the size of the strong name field in the COR header will do the trick, but for an ASP.NET assembly you will need to also patch the strong-name attribute, which is stored as metadata before the RSA key.
I didn't understand completely.
Here is the public key of the above-mentioned DLL as IDA shows it:

Code:
.assembly RadTreeView
{
  .hash algorithm 0x00008004
  .ver 4:0:0:0
  .originator = (
   00 24 00 00 04 80 00 00 94 00 00 00 06 02 00 00
   00 24 00 00 52 53 41 31 00 04 00 00 01 00 01 00
   CD 62 12 05 0E 7C CD 6F 51 AF 2C 41 FD CC 65 44
   AC E3 CF 79 6A 19 49 C5 80 C3 FF 52 7C AC 91 1D
   9B E0 5F AD 28 47 CE F4 E7 E5 EC 87 9F C9 4B E4
   9E 31 C7 97 C2 B8 39 25 C4 ED F6 AA 83 FA 78 A3
   5A 47 C0 F4 7B 44 A8 F9 3F D1 44 A9 B7 96 BF 74
   9E 8D FC B3 99 82 11 52 A9 5C 7A 37 EB A3 82 B6
   9D A5 8B 7A 1C 87 DA 5C ED 0B 7A 72 BA B1 3F 12
   52 C6 2F 50 DD 35 44 06 E6 F3 B0 4B AF F4 19 BD)
}
The bold numbers (52 53 41 31) mean: RSA1

You mean I must patch the 80 at 0x102c to 00 and the bytes before RSA1? The bytes before RSA1, or the complete section of the public key?
And patch them to what? To 00s?

Regards.

#3
03-10-2005, 18:04
SystemeD
Quote:
Originally Posted by zacdac
...but for an ASP.NET assembly you will need to also patch the strong-name attribute, which is stored as metadata before the RSA key.
Could you be more explicit?
Here is some of the output from ildasm for the target we are talking about; what must be patched for an ASP.NET assembly?
Thanks

Code:
.custom instance void DotfuscatorAttribute::.ctor(string) = ( 01 00 16 31 34 32 32 31 3A 31 3A 32 2E 30 2E 31   // ...14221:1:2.0.1
                                                                36 39 37 2E 31 38 34 38 35 )                      // 697.18485
  .custom instance void [mscorlib]System.Reflection.AssemblyConfigurationAttribute::.ctor(string) = ( 01 00 00 00 00 ) 
  .publickey = (00 24 00 00 04 80 00 00 94 00 00 00 06 02 00 00   // .$..............
                00 24 00 00 52 53 41 31 00 04 00 00 01 00 01 00   // .$..RSA1........
                CD 62 12 05 0E 7C CD 6F 51 AF 2C 41 FD CC 65 44   // .b...|.oQ.,A..eD
                AC E3 CF 79 6A 19 49 C5 80 C3 FF 52 7C AC 91 1D   // ...yj.I....R|...
                9B E0 5F AD 28 47 CE F4 E7 E5 EC 87 9F C9 4B E4   // .._.(G........K.
                9E 31 C7 97 C2 B8 39 25 C4 ED F6 AA 83 FA 78 A3   // .1....9%......x.
                5A 47 C0 F4 7B 44 A8 F9 3F D1 44 A9 B7 96 BF 74   // ZG..{D..?.D....t
                9E 8D FC B3 99 82 11 52 A9 5C 7A 37 EB A3 82 B6   // .......R.\z7....
                9D A5 8B 7A 1C 87 DA 5C ED 0B 7A 72 BA B1 3F 12   // ...z...\..zr..?.
                52 C6 2F 50 DD 35 44 06 E6 F3 B0 4B AF F4 19 BD ) // R./P.5D....K....
  .hash algorithm 0x00008004
  .ver 4:0:1:0
}
I usually decompile, remove .publickey and .hash lines and then recompile.
All times are GMT +8. The time now is 02:35.